* [Buildroot] [PATCH] package/squid: security bump to version 4.17
From: Peter Korsgaard @ 2021-10-08 11:53 UTC
  To: buildroot

Fixes the following security issue:

- SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2
  (CVE-2021-28116 aka ZDI-CAN-11610)

  Due to an out of bounds memory access Squid is vulnerable to an
  information leak vulnerability when processing WCCPv2 messages.

  This problem allows a WCCPv2 sender to corrupt Squid's list of
  known WCCP routers and divert client traffic to attacker
  controlled routers.

  This attack is limited to Squid proxy with WCCPv2 enabled and
  IP spoofing of a router IP address configured as trusted in
  squid.conf.

For more details, see the advisory:
http://lists.squid-cache.org/pipermail/squid-announce/2021-October/000136.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/squid/squid.hash | 8 ++++----
 package/squid/squid.mk   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/squid/squid.hash b/package/squid/squid.hash
index 12a9e5d293..b1a8feb78e 100644
--- a/package/squid/squid.hash
+++ b/package/squid/squid.hash
@@ -1,6 +1,6 @@
-# From http://www.squid-cache.org/Versions/v4/squid-4.15.tar.xz.asc
-md5  a593de9dc888dfeca4f1f7db2cd7d3b9  squid-4.15.tar.xz
-sha1  60bda34ba39657e2d870c8c1d2acece8a69c3075  squid-4.15.tar.xz
+# From http://www.squid-cache.org/Versions/v4/squid-4.17.tar.xz.asc
+md5  47b94b2d27516f1764c9d5dc1b9645e5  squid-4.17.tar.xz
+sha1  f6bd15fabbd67b53a831fe9f67de3279868036c1  squid-4.17.tar.xz
 # Locally calculated
-sha256  b693a4e5ab2811a8a854f60de0a62afbbf3a952bb1d047952c9ae01321f84a25  squid-4.15.tar.xz
+sha256  cb928ac08c7c86b151b1c8f827abe1a84d83181a2a86e0d512286163e1e31418  squid-4.17.tar.xz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
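
Review bot: The provenance of the new squid-4.17.tar.xz hashes is weaker than the comments suggest. The md5 and sha1 lines are attributed to the .asc file fetched over plain http://, and the only strong digest, the sha256, is marked "Locally calculated". Please state in the comment (or the commit message) that the tarball's signature from squid-4.17.tar.xz.asc was verified before the sha256 was computed, so the locally calculated value is anchored to upstream's signing key rather than to whatever the HTTP download returned. Since md5 and sha1 add no collision resistance on top of the sha256, the sha256 line is the one that needs that assurance.
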
diff --git a/package/squid/squid.mk b/package/squid/squid.mk
index 68eff82093..a30a87e20d 100644
--- a/package/squid/squid.mk
+++ b/package/squid/squid.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SQUID_VERSION = 4.15
+SQUID_VERSION = 4.17
 SQUID_SOURCE = squid-$(SQUID_VERSION).tar.xz
 SQUID_SITE = http://www.squid-cache.org/Versions/v4
 SQUID_LICENSE = GPL-2.0+
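
Review bot: The SQUID_VERSION change goes from 4.15 straight to 4.17, but the commit message lists only SQUID-2020:12 (CVE-2021-28116). Please say in the commit message whether the skipped 4.16 release carried any security fixes of its own, so that whoever backports this to the stable branches can see the full set of issues the bump closes. Separately, SQUID_SITE in the unchanged context is still an http:// URL, so download integrity rests entirely on the sha256 entry in squid.hash; that is acceptable as long as that hash was derived from a signature-verified tarball.
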
-- 
2.20.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH] package/squid: security bump to version 4.17
From: Peter Korsgaard @ 2021-10-09  9:11 UTC
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > - SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2
 >   (CVE-2021-28116 aka ZDI-CAN-11610)

 >   Due to an out of bounds memory access Squid is vulnerable to an
 >   information leak vulnerability when processing WCCPv2 messages.

 >   This problem allows a WCCPv2 sender to corrupt Squid's list of
 >   known WCCP routers and divert client traffic to attacker
 >   controlled routers.

 >   This attack is limited to Squid proxy with WCCPv2 enabled and
 >   IP spoofing of a router IP address configured as trusted in
 >   squid.conf.

 > For more details, see the advisory:
 > http://lists.squid-cache.org/pipermail/squid-announce/2021-October/000136.html

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH] package/squid: security bump to version 4.17
From: Peter Korsgaard @ 2021-10-09 11:51 UTC
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
 >> Fixes the following security issue:
 >> - SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2
 >> (CVE-2021-28116 aka ZDI-CAN-11610)

 >> Due to an out of bounds memory access Squid is vulnerable to an
 >> information leak vulnerability when processing WCCPv2 messages.

 >> This problem allows a WCCPv2 sender to corrupt Squid's list of
 >> known WCCP routers and divert client traffic to attacker
 >> controlled routers.

 >> This attack is limited to Squid proxy with WCCPv2 enabled and
 >> IP spoofing of a router IP address configured as trusted in
 >> squid.conf.

 >> For more details, see the advisory:
 >> http://lists.squid-cache.org/pipermail/squid-announce/2021-October/000136.html

 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

 > Committed, thanks.

Committed to 2021.02.x, 2021.05.x and 2021.08.x, thanks.

-- 
Bye, Peter Korsgaard